Add file switch for pre-exec hooks #18331
Conversation
openshift-ci
bot
added
the
do-not-merge/release-note-label-needed
|
@giuseppe PTAL |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: TomSweeneyRedHat The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
Should this say |
|
Good point @Luap99 , it probably should be either directory, but not both. Will specify that in the RHEL docs. |
openshift-ci
bot
added
release-note-none
and removed
do-not-merge/release-note-label-needed
TomSweeneyRedHat
added
the
do-not-merge/hold
|
Changing this up to check a file and then will do the reads if it is present. See #18347 for details. |
TomSweeneyRedHat
force-pushed
the
dev/tsweeney/hooked
branch
from
cf1a35f to
6b7d93a
Compare
TomSweeneyRedHat
changed the title
TomSweeneyRedHat
removed
the
do-not-merge/hold
pkg/rootless/rootless_linux.c
Outdated
| @@ -254,6 +254,15 @@ do_preexec_hooks_dir (const char *dir, char **argv, int argc) | |||
| static void | |||
| do_preexec_hooks (char **argv, int argc) | |||
| { | |||
| FILE *preexec_ptr; | |||
There was a problem hiding this comment.
we are leaking this file when it is opened, it must be fclose'd()
There was a problem hiding this comment.
Oh shoot yes, rusty C, I'll fix that, TY
pkg/rootless/rootless_linux.c
Outdated
|
|
||
| // Open the preexec_hooks_dir indicator file in read mode | ||
| // return without processing if the file doesn't exist | ||
| preexec_ptr = fopen("/etc/containers/podman_preexec_hooks.txt", "r"); |
There was a problem hiding this comment.
since we are checking only its existence, we can just use access()
There was a problem hiding this comment.
And more rust flaking, I'd forgotten about access, that works out much nicer, ty.
|
So far I see discussion here and in #18347? Can we have that in one place please? We shouldn't backport anything before having it merged in main. It is still not clear why this change is made? Has this change been communicated to the customer who wants to use this feature? |
TomSweeneyRedHat
force-pushed
the
dev/tsweeney/hooked
branch
from
6b7d93a to
2fb5c93
Compare
test/system/950-preexec-hooks.bats
Outdated
| preexec_hook_ok_file=/etc/containers/podman_preexec_hooks.txt | ||
| touch $preexec_hook_ok_file |
There was a problem hiding this comment.
These tests are run on local developer machines, please do not touch system wide config directories from within the tests. The rm below is not executed when the test error out before that or when I manually cancel for whatever reason.
cc @edsantiago
There was a problem hiding this comment.
@edsantiago happy to change this if there's a better way forward.
There was a problem hiding this comment.
Whoa, I hadn't even looked at system tests because this is so hellaciously confusing. So let me get this straight: the /etc/whatever file does not actually contain anything, it's just a semaphore saying "if this file exists, then it's okay for podman to run preexec hooks"? Bleagh. That is going to cost us support time in the future.
Anyhow, yeah, the touch thing, you can't do that. First, all rootless tests are going to fail. You need to skip_if_rootless. Second, you need to do the rm inside teardown(). Which will not have your $preexec_hook_ok_file defined, so please define that in outer scope (like between the loads and setup).
There was a problem hiding this comment.
we cannot do skip_if_rootless, this whole feature only runs rootless.
There was a problem hiding this comment.
I mean we could, but as I see this this feature was designed to prevent rootless user from doing stuff so not testing it as rootless is not great.
There was a problem hiding this comment.
hahahahahahaha, well, I guess we don't test then.
|
The reason for both places at once, is we have a very imminent deadline. We have to get this out preferably by noon today, by noon tomorrow at the latest. That's due to the RHEL schedule and the QE and packaging teams haveing holidays shortly. We have been talking with the customer. They have told us we can't pull the functionality, and security is also pulling on us to not deliver it in its current form. I'm playing the part of Milhouse here |
test/system/950-preexec-hooks.bats
Outdated
| PODMAN_PREEXEC_HOOKS_DIR=$preexec_hook_dir run_podman 125 pull foobar | ||
| PODMAN_PREEXEC_HOOKS_DIR=$preexec_hook_dir run_podman 125 pull barfoo |
There was a problem hiding this comment.
Third, please add error-message checks.
|
If this absolutely needs to get merged, and you really need tests, here's a possibility: |
The long term goal was to provide the customer a way to turn on the preexec_hooks processing of script by having some kind of configuration that could be read. I had tried putting it into containers.conf to start, but that turned out to be unyieldly quickly and time is of the essence for this fix. That is mostly due to the fact that this code is preexecution and in C, the conatiners.conf file is read in Go much further down the stack. After first trying this process using an ENVVAR, I have thought it over and chatted with others and will now look for a /etc/containers/podman_preexec_hooks.txt file to exist. If the admin had put one in there, we will then process the files in the directories `/usr/libexec/podman/pre-exec-hooks` and `/etc/containers/pre-exec-hooks`. Thoughts/suggestions gratefully accepted. This will be a 8.8/9.2 ZeroDay fix and will need to be backported to the v4.4.1-rhel branch. Signed-off-by: tomsweeneyredhat <[email protected]>
TomSweeneyRedHat
force-pushed
the
dev/tsweeney/hooked
branch
from
2fb5c93 to
c8e423b
Compare
|
Updated this with Ed's test suggestion. |
|
and now it looks like I'm getting bit by a flake in the boltdb tests. @edsantiago do you concur? |
|
no, nothing to do with boltdb. Two of the flakes are known Cirrus ones, the other is our infamous unlinkat/EBUSY. I've restarted them all. |
|
And all green here, but less rush to merge. |
|
@giuseppe for some reason I can't reply to your question about "is this being tracked somewhere". This came in via the RHELBU feature that we have. There have been further discussions between Mark, Derrick Ornelas, and some of the Customer Experience people along with the customer. They are fine with this change as it stands in this PR. Product Security for RHEL was NOT fine with the code as it was before this change. They asked that we use either an EnvironmentVariable, which was admittedly securities second choice, or to read some config file to turn on the functionality. I started the change by using the EnvVar approach as it was very easy to code. We told the customer, and they came back as not being thrilled with that approach. So last night I worked on the change as you see it here. The conversations have been going on in Slack for the most part over the past day or two, and then via the PRs in GitHub. Hope that helps, as Ed said, it's ugly, but I'm trying to find a middle ground that's not extraordinarily ugly yet keeps the customer happy. |
|
Still green, and this is in Podman v4.2. Can we push it into main yet? @mheon? |
|
/lgtm |
|
Just ran across this. I'm not quite sure where "None" came from on the question as to whether this introduces a user-interfacing change, but we most certainly noticed it and given the hooks won't be executed without the existence of that flag file, I'd argue it definitely had a user-facing impact. For awareness, I'm the customer who requested this feature initially. I'd like to understand why this change was introduced? |
|
@JonnyWhatshisface If you are a customer please use your Red Hat support channels. Old PRs are generally never a good place to have a proper discussion. |
|
Just as a FWIW, the discussions are ongoing in the proper RHEL channels. |
github-actions
bot
added
the
locked - please file new issue/PR
The long term goal was to provide the customer with a way to turn on the
preexec_hooks processing of scripts by having some kind of configuration
that could be read. I had tried putting it into containers.conf to
start, but that turned out to be unyieldly quickly, and time is of
the essence for this fix. That is mostly due to the fact that this
code is preexecution and in C, the containers.conf file is read in
Go much further down the stack.
After first trying this process using an ENVVAR, I have
thought it over and chatted with others, and will now look for a
/etc/containers/podman_preexec_hooks.txt file to exist. If the admin
had put one in there, we will then process the files in the
directories
/usr/libexec/podman/pre-exec-hooksand
/etc/containers/pre-exec-hooks.Thoughts/suggestions gratefully accepted. This will be a 8.8/9.2 ZeroDay
fix and will need to be backported to the v4.4.1-rhel branch.
Signed-off-by: tomsweeneyredhat [email protected]
Does this PR introduce a user-facing change?